Ranged bounties: a flexible and granular bounty mechanism
By Yannick Merckx
August 1, 2023
At Intigriti, we are continually enhancing our platform to better serve our community. Today, we’re introducing a significant update: ranged bounties. This addition gives program editors the ability to define a minimum and a maximum bounty amount per severity level. As a step towards increased flexibility, ranged bounties offer an alternative mechanism for assigning value to vulnerability findings based on their severity score.
What do ranged bounties entail?
Previously, the Intigriti platform allowed program editors to define a fixed bounty amount based on the metadata of a submission. With ranged bounties, you can now set flexible bounty ranges based on severity levels. These bounty ranges can be enabled or disabled per program and are available for both Hybrid and Continuous programs.
The possible bounty for a submission will be calculated using the CVSS score, the minimum range amount for the severity, and the maximum range amount for the same severity. In instances where a CVSS score isn’t available, the minimum range amount will be used to calculate the bounty.
Figure 1: comparison between fixed bounties and ranged bounties. Ranged bounties provide greater flexibility and precision, whereas fixed bounties offer a more direct and simple bounty approach.
Getting started with ranged bounties
When defining the bounties of your program, you are presented with two choices:
– Fixed bounties: This traditional model allows program editors to establish a set bounty amount for each severity level. Once set, these bounty amounts remain constant for all submissions of a particular severity, providing a straightforward reward system.
– Ranged bounties: A more advanced approach, ranged bounties allow program editors to define a minimum and a maximum bounty amount for each severity level. This range enables a more granular reward system. Each submission’s severity corresponds to a band of CVSS scores, and the submission’s CVSS score determines where within the set range the bounty falls. Program members can manually override the severity level if needed, and in cases where no CVSS score is available, the minimum range amount is used.
Note: By default, ranged bounties are disabled and need to be manually activated by your customer success manager.
What to expect from ranged bounties
Once ranged bounties are enabled, the minimum and maximum amounts will be made available in the external API V2.1 and (custom) reporting.
An important aspect of the ranged bounties feature is its integration with CVSS scores. A submission’s CVSS score is automatically mapped to the matching severity level, and this mapping forms the foundation for calculating the potential bounty of a submission.
If an adjustment is needed, program members can manually modify the CVSS input parameters (which recalculates the score) or simply select the appropriate severity.
Note: In cases where no CVSS score is available, the minimum amount of the bounty range for the respective severity is used. This ensures a fair and consistent base for rewarding all submissions, even when some data points are missing or unavailable.
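The announcement states the inputs to the calculation (CVSS score, range minimum, range maximum) and the fallback (no score means the minimum) but not the formula. The following is an added example, not Intigriti’s code and not its published formula: it models the payout as a linear interpolation across the severity’s CVSS v3.1 score band, clamps the position when a triager has overridden the severity so that the score lies outside the band, pays the minimum when no score is present, and shows that a fixed-bounty program is just the case where minimum equals maximum. The interpolation, the clamping rule and the `EXAMPLE_RANGES` amounts are assumptions; the CVSS v3.1 qualitative bands are the standard ones.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# CVSS v3.1 qualitative severity rating scale: score band per severity level.
# A base score of 0.0 has the rating "None" and falls outside every band.
CVSS_BANDS: Dict[str, Tuple[float, float]] = {
    "low": (0.1, 3.9),
    "medium": (4.0, 6.9),
    "high": (7.0, 8.9),
    "critical": (9.0, 10.0),
}


@dataclass(frozen=True)
class BountyRange:
    """Minimum and maximum bounty for one severity level, in whole currency units."""
    minimum: int
    maximum: int

    def __post_init__(self) -> None:
        if self.minimum < 0 or self.maximum < self.minimum:
            raise ValueError(f"invalid bounty range {self.minimum}-{self.maximum}")


def severity_from_cvss(score: float) -> Optional[str]:
    """Map a CVSS v3.1 base score to its qualitative severity; None for a 0.0 score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)  # base scores carry one decimal place
    for name, (low, high) in CVSS_BANDS.items():
        if low <= score <= high:
            return name
    return None


def ranged_bounty(ranges: Dict[str, BountyRange], severity: str,
                  cvss_score: Optional[float] = None) -> int:
    """Bounty for a submission of the given severity.

    Assumed model (not Intigriti's published formula): linear interpolation
    between the range minimum and maximum according to where the CVSS score
    sits inside that severity's CVSS band. Without a score the minimum is
    paid, as the announcement states. If the severity was overridden so that
    the score lies outside the band, the position is clamped to the band's
    ends (also an assumption).
    """
    rng = ranges[severity]
    if cvss_score is None:
        return rng.minimum
    low, high = CVSS_BANDS[severity]
    position = (cvss_score - low) / (high - low)
    position = min(1.0, max(0.0, position))
    return int(round(rng.minimum + position * (rng.maximum - rng.minimum)))


def bounty_for_submission(ranges: Dict[str, BountyRange],
                          cvss_score: Optional[float] = None,
                          severity_override: Optional[str] = None) -> Optional[int]:
    """Severity is derived from the CVSS score unless a program member overrides it."""
    if severity_override is not None:
        severity = severity_override
    elif cvss_score is not None:
        severity = severity_from_cvss(cvss_score)
    else:
        severity = None
    if severity is None:
        return None  # nothing to price: informational (0.0) or no data at all
    return ranged_bounty(ranges, severity, cvss_score)


# Constructed example program (amounts are made up for illustration).
EXAMPLE_RANGES: Dict[str, BountyRange] = {
    "low": BountyRange(100, 500),
    "medium": BountyRange(500, 2000),
    "high": BountyRange(2000, 5000),
    "critical": BountyRange(5000, 10000),
}

# A fixed-bounty program is the degenerate case where minimum == maximum.
FIXED_RANGES: Dict[str, BountyRange] = {
    name: BountyRange(r.maximum, r.maximum) for name, r in EXAMPLE_RANGES.items()
}


if __name__ == "__main__":
    for score, override in [(9.5, None), (8.9, None), (None, "high"), (9.2, "high"), (0.0, None)]:
        print(score, override, bounty_for_submission(EXAMPLE_RANGES, score, override))
```

Under this model a Critical at 9.5 lands halfway through its range, a High at 8.9 reaches the top of its range, and a High that a triager overrode despite a 9.2 score is clamped to the High maximum rather than spilling into the Critical range; the same function applied to `FIXED_RANGES` returns the single fixed amount regardless of score.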
The advantages of ranged bounties
Introducing ranged bounties is a step forward in enhancing the Intigriti experience:
More granular reward mechanism: By setting bounty ranges, program members can better tailor rewards based on the severity of the submission.
Improved researcher experience: With a more flexible reward system, researchers can expect compensation that better reflects the value of their findings.
Smoother mediation: because the bounty follows the CVSS score, a dispute over a finding’s severity can be settled by adjusting the CVSS input (a CVSS uplift), which moves the bounty within the range, rather than by negotiating a separate amount.
We are in the process of gradually introducing ranged bounties as a beta feature. Our objective is to collect valuable feedback to ensure its smooth operation, while preventing any unintended implications for organizations and researchers alike. If you are interested, we invite you to communicate your curiosity and inquiries to your customer success manager. Our support team remains at your disposal to address any questions or concerns you may encounter.